WP Malware Scanners

I take a number of security precautions to keep my sites free of malware. But what if malware gets past my defenses? I need to be able to detect it so that I can eradicate it. With WP malware scanners, as with everything else WP, I prefer free. I know of three types of free WP malware scanners: Host-based; Web-based; and Plugins.

wp malware scanners

The malware scanner offered by my host – and by many other hostsĀ – built into cPanel, is ClamAV, although it is labeled simply “Virus Scanner”. It has the advantage of scanning not just my WP site but my entire home directory, including email. On a neglected legacy site with about a decade and a half of email in multiple accounts, I was shocked to find hundreds of infected emails, which ClamAV dutifully exterminated for me.

There are a number of web-based scanners. Three that I know of that are free and do not require me to create an account are Sucuri Site Check, Quttera, and WP Scans. A big advantage of all three is super convenience. I just visit the website and run a scan. Which works best? I have no idea. I suspect each has its plusses and minuses.

And the plugins. There are several. The two that I’ve tried are WordFence and NinjaScanner. The advantage of a plugin scanner is that it works from inside my WP site, so presumably it can find things that external scanners miss. I have a quibble – actually a couple – with WordFence, so I prefer NinjaScanner.

So, which of these WP malware scanners should I use? Why not all of them? They presumably all have strong points. Using multiple scanners would seem to increase my chances of catching even obscure malware. During my monthly site maintenance I alternate among ClamAV, Sucuri Site Check, Quttera, and WP Scans. Annually, I run NinjaScanner.


WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.